The EntityIdentifier ref in AccessEntity refers to a variable that identifies the developer to be referenced. There are multiple types of data you can pass in to identify the developer (developeremail, developerid, appid, consumerkey). It is best to include the type of data being used in the EntityIdentifier element. In the example below, the consumer key is stored in the variable client_id:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AccessEntity async="false" continueOnError="false" enabled="true" name="access-developer-attribute">
<DisplayName>AccessEntity Developer Attribute</DisplayName>
<EntityIdentifier ref="client_id" type="consumerkey"></EntityIdentifier>
<EntityType value="developer"></EntityType>
</AccessEntity>
Also, your AssignMessage policy is not correctly retrieving from the AccessEntity.access-developer-attribute variable. You need curly braces around the variable name, otherwise the payload will be the text "AccessEntity.access-developer-attribute".
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="convert-accessentity-xml-to-message-request">
<DisplayName>Convert AccessEntity Xml To Message Request</DisplayName>
<Set>
<Payload type="text/xml">{AccessEntity.access-developer-attribute}</Payload>
</Set>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<AssignTo createNew="true" transport="http" type="request">accessentity.XYZ-attribute</AssignTo>
</AssignMessage>
You'll notice also that I've deleted unused fields in the policies. This makes the policies more readable.
Your ExtractVariables and JavaScript should work fine.